Php Unsafe User Controlled Variable
Description
This detector identifies unsafe usage of PHP's extract() function when it is called with user-controlled input and variable overwriting enabled. extract() imports the keys of an array into the current symbol table as variables, and its default flag, EXTR_OVERWRITE, replaces any variable that already exists. When the array comes from the request, an attacker can overwrite variables the application has already set (an authorization flag, a file path, a redirect target) or create new ones that later code reads, bypassing security checks or changing application behavior. This is a variable pollution issue, the same class of flaw that made register_globals dangerous.
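The following script is an added example, not Fluid Attacks' code or a detector rule; it shows the overwrite described above against an authorization flag and compares the default flag with EXTR_SKIP, EXTR_PREFIX_ALL and plain key access. The $request array is a constructed stand-in for $_GET, and the function names (vulnerable, hardened_skip, hardened_prefix, no_extract) and the 'user' prefix are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original page): how extract() on request data with
// the default EXTR_OVERWRITE flag clobbers a security-relevant variable, and what
// the alternative flags actually change. Run with: php extract_demo.php

// Constructed stand-in for $_GET when the attacker requests
//   /profile.php?data[username]=mallory&data[is_admin]=1
$request = ['data' => ['username' => 'mallory', 'is_admin' => '1']];

function vulnerable(array $get): bool
{
    $is_admin = false;          // set by the application, not by the user
    extract($get['data']);      // default flag EXTR_OVERWRITE: $is_admin becomes '1'
    return (bool) $is_admin;    // decision is now attacker-controlled
}

function hardened_skip(array $get): bool
{
    $is_admin = false;
    // EXTR_SKIP keeps variables that already exist, so $is_admin stays false.
    // Caveat: keys that do not collide are still created as variables, so any
    // variable that is read later without being defined first (a $redirect, a
    // $template) can still be supplied by the attacker.
    extract($get['data'], EXTR_SKIP);
    return (bool) $is_admin;
}

function hardened_prefix(array $get): array
{
    $is_admin = false;
    // EXTR_PREFIX_ALL namespaces every extracted key: $user_username, $user_is_admin.
    // Nothing the function defined can be shadowed, and the origin of each
    // variable is visible in its name. 'user' is an arbitrary prefix for the demo.
    extract($get['data'], EXTR_PREFIX_ALL, 'user');
    return [
        'is_admin'           => $is_admin,
        'submitted_username' => $user_username ?? null,
    ];
}

function no_extract(array $get): array
{
    $is_admin = false;
    // Preferred: read only the keys you expect and never turn user keys into variables.
    $username = (string) ($get['data']['username'] ?? '');
    return ['is_admin' => $is_admin, 'username' => $username];
}

var_dump(vulnerable($request));       // bool(true): the check is bypassed
var_dump(hardened_skip($request));    // bool(false)
var_dump(hardened_prefix($request));  // is_admin => false, submitted_username => "mallory"
var_dump(no_extract($request));       // is_admin => false, username => "mallory"
```

Note that extract() throws a TypeError on PHP 8 if data is sent as a plain string (?data=x) rather than an array, so the overwrite only works with the bracketed query form; the detector does not depend on that, since the first argument being user-controlled is what it flags.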
Detection Strategy
• Reports a vulnerability when PHP code calls the extract() function
• The first argument to extract() must come from user input (such as $_GET, $_POST, $_REQUEST, $_COOKIE or another user-controllable source)
• The call must have variable overwriting enabled, which is the case when the second argument is omitted (the default is EXTR_OVERWRITE) or when EXTR_OVERWRITE is passed explicitly
• All three conditions must be met simultaneously for a vulnerability to be reported
Vulnerable code example
<?php
function unsafe_extract(): void
{
extract($_GET['data']); // Vulnerable: allows variable overwriting from user input
}
function unsafe_explicit(): void...
✅ Secure code example
<?php
function safe_extract(): void
{
extract($_GET['data'], EXTR_SKIP); // Safe for this detector: EXTR_SKIP keeps existing variables; note that non-colliding keys are still created as new variables
}
function safe_explicit(): void...